From 1f1b6d88642e906049a6e0338f03078de1ca0ffe Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 7 May 2025 17:04:37 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2025-28367 rule --- .../crowdsecurity/vpatch-CVE-2025-28367.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-28367.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-28367.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-28367.yaml new file mode 100644 index 00000000000..5694b813346 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-28367.yaml @@ -0,0 +1,35 @@ +## autogenerated on 2025-05-07 17:04:33 +name: crowdsecurity/vpatch-CVE-2025-28367 +description: 'Detects directory traversal in mojoPortal BetterImageGallery API Controller (CVE-2025-28367)' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: /api/betterimagegallery/imagehandler + - zones: + - ARGS + variables: + - path + transform: + - lowercase + - urldecode + match: + type: contains + value: ../ + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'MojoPortal - LFI' + classification: + - cve.CVE-2025-28367 + - attack.T1006 + - cwe.CWE-284 From 8210227ebe7e15c209c024dd2953b0b176c708a4 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 7 May 2025 17:04:39 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2025-28367 test config --- .appsec-tests/vpatch-CVE-2025-28367/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-28367/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-28367/config.yaml b/.appsec-tests/vpatch-CVE-2025-28367/config.yaml new file mode 100644 index 00000000000..80bdc7f6a5e --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-28367/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2025-05-07 17:04:33 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-28367.yaml +nuclei_template: CVE-2025-28367.yaml From d047f69bafd1ea0c4f07bfed036f3a90a08a52f1 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 7 May 2025 17:04:40 +0200 Subject: [PATCH 3/4] Add CVE-2025-28367 test --- .../vpatch-CVE-2025-28367/CVE-2025-28367.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-28367/CVE-2025-28367.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-28367/CVE-2025-28367.yaml b/.appsec-tests/vpatch-CVE-2025-28367/CVE-2025-28367.yaml new file mode 100644 index 00000000000..c8438937918 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-28367/CVE-2025-28367.yaml @@ -0,0 +1,17 @@ +## autogenerated on 2025-05-07 17:04:33 +id: CVE-2025-28367 +info: + name: CVE-2025-28367 + author: crowdsec + severity: info + description: CVE-2025-28367 testing + tags: appsec-testing +http: + - method: GET + path: + - "{{BaseURL}}/api/BetterImageGallery/imagehandler?path=../../../Web.Config" + cookie-reuse: true + matchers: + - type: status + status: + - 403 From dc1dc8620757777fc9f2fc9e525fcd1adeade3b9 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 7 May 2025 17:04:42 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2025-28367 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index be69426f031..d0049dd92dc 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -90,6 +90,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-27292 - crowdsecurity/vpatch-CVE-2025-24893 - crowdsecurity/vpatch-CVE-2021-43798 +- crowdsecurity/vpatch-CVE-2025-28367 author: crowdsecurity contexts: - crowdsecurity/appsec_base